GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control.
Gameover Zeus, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks.
Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands. Centralized C2 servers are routinely tracked and blocked by the security community. Gameover Zeus, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data. Without a single point of failure, the resiliency of Gameover Zeus P2P infrastructure makes takedown efforts more difficult.
Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week.
The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware’s aggressive URL matching algorithm.
Gameover Zeus monitors and injects rogue code into Web browsing sessions when users access banking and other popular websites from infected computers. The targeted sites are determined by regular-expression-based rules listed in the malware’s configuration file.
For example, to steal log-in credentials for Amazon.com or other Amazon websites the malware monitors if any URLs accessed in the browser match the following regular expression: http.*?://.*?amazon..*?/.*?. However, this regular expression matches not just Amazon sites, but any URL that has “amazon” in it, including https://www.f-secure.com/amazon.com/index.html.
“We can use this to ‘trick’ Gameover bots and make an easy check to see if an infection is present in your browser!” said Antti Tikkanen, director of security response at F-Secure, in a blog post Monday.
Tricking an infected PC to “bite”
Visiting the test page set up by F-Secure from a Gameover-infected computer will force the malware to inject its malicious code into it. The page then performs a check on itself to detect if Gameover-specific code was added.
“We search for the string ‘LoadInjectScript’,” Tikkanen said. “If the string is found on the page, we know Gameover Zeus has infected your browser!”
The test is not perfect though, because the malware doesn’t support native 64-bit browsers, so visiting the F-Secure page from such a browser will not detect the infection. Users are therefore advised to perform the test using a 32-bit version of Internet Explorer, Google Chrome or Mozilla Firefox.
F-Secure also provides a free online scanner that is capable of detecting and removing the threat.
Law enforcement agencies from multiple countries worked with security vendors to disrupt the Gameover Zeus botnet at the beginning of June.
According to the FBI, the malware infected over 1 million computers and was used to steal millions of dollars from businesses and Internet users worldwide. It was also used to distribute CryptoLocker, a separate malware threat that encrypts files and asks for a ransom to restore them.
The Gameover Zeus botnet has a peer-to-peer architecture with no single point of failure, so it’s possible that its operators might attempt to regain control of it in the future. Because of this, users are advised to scan their computers and remove the malware if found as possible.